We’re looking into enabling PowerShell Transcription Logging for all our workstations and servers but need a place to direct the logs to protect them against deletion/access and to facilitate searching in case of an incident. Is there a way to simply throw the logs at InsightIDR?
I’m reading online that some companies save the logs to a secure folder on a file server but I would prefer to have InsightIDR have eyes on it.
Thanks in advance…
If you do the method of saving the logs to a folder, you could set it as a shared directory and then use watch directory or tail file for IDR to pull them. Alternatively, depending on how you set up saving the logs, if you have the option to simply syslog them then you can just send them to the collector on a specific port.
These would both be set up as custom logs in IDR.
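The shared-folder route works best if the folder is write-only for the hosts dropping transcripts and readable only by admins and the account the collector runs as. The script below is an added example (not from this thread or from Rapid7) that builds such a folder and turns transcription on locally through the same registry values the "Turn on PowerShell Transcription" GPO writes; the path, group names and the local registry write are assumptions for a test box, and in production you would set the policy via GPO and point OutputDirectory at the UNC path of the share.

```powershell
# Added example, not code from the thread. Creates a write-only transcript
# drop folder and enables PowerShell transcription. $TranscriptDir and the
# principal names are assumptions; the policy values are the ones the GPO
# "Turn on PowerShell Transcription" writes (Computer Configuration >
# Administrative Templates > Windows Components > Windows PowerShell).

$TranscriptDir = 'C:\Transcripts'     # assumed; use the UNC share path in prod
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null

# Start from a clean DACL with nothing inherited from the parent.
$acl = Get-Acl -Path $TranscriptDir
$acl.SetAccessRuleProtection($true, $false)

# Administrators (and the collector's service account, if separate) get full
# control so the watch-directory source can read and you can prune old files.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')))

# Everyone else may only create files/folders and append to them.
# 'Write' = CreateFiles + CreateDirectories + AppendData + WriteAttributes +
# WriteExtendedAttributes; it does not include ReadData, ListDirectory or
# Delete, so a user cannot browse or remove other hosts' transcripts.
# ReadAttributes lets PowerShell stat the date subfolder it creates.
# (.NET adds Synchronize to Allow rules automatically.)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', 'Write,ReadAttributes',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')))

Set-Acl -Path $TranscriptDir -AclObject $acl

# Policy values. EnableInvocationHeader adds a "Command start time" block
# before each command, which is useful when reconstructing a timeline.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name OutputDirectory        -Value $TranscriptDir -Type String

# Verification: effective ACL and the policy as PowerShell will read it.
(Get-Acl -Path $TranscriptDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
Get-ItemProperty -Path $PolicyKey | Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory
```

The ACL stops users from listing, reading or deleting each other's transcripts, but the creator of a file still owns it and an owner always keeps the implicit right to change that file's permissions, so a local write-only folder only raises the bar. The real protection against deletion is the collector picking the files up quickly, which is why the watch-directory or syslog path into IDR matters more than the folder permissions.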
@nomenal after you configure the GPO with a destination folder where all transcription text file logs will be sent, you can set up a custom Rapid7 event source with watch directory as the collection method. One thing I’ve noticed is the default format of those transcription logs can mess up the log ingestion, so that each text file might come through as multiple IDR logs, which can make querying very difficult. If you have the paid version of NXLog there is an available parser that works well, but that parser is not supported in the community edition (free one) of NXLog.
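The multi-event problem comes from each transcript being a multi-line text file with `**********************` separator blocks, so a line-oriented source splits it. One way around it without a paid parser is to run a scheduled task on the share host that folds every finished transcript into a single JSON line, then tail that one NDJSON file from IDR. The script below is an added example (not code from this thread, Rapid7 or NXLog); `$WatchDir`, `$OutFile` and `$StateFile` are assumptions, and the sample transcript is constructed to show the fields it extracts.

```powershell
# Added example, not code from the thread. Folds each completed PowerShell
# transcript into one JSON line (NDJSON) so a tail-file source produces one
# event per transcript instead of one per text line. Paths are assumptions.

$WatchDir  = 'C:\Transcripts'                        # OutputDirectory from the policy
$OutFile   = 'C:\TranscriptFeed\transcripts.ndjson'  # the file the collector tails
$StateFile = 'C:\TranscriptFeed\processed.txt'       # transcripts already forwarded

function ConvertTo-TranscriptRecord {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $lines = Get-Content -LiteralPath $Path
    # A session that is still open has no end marker; leave it for the next run
    # rather than emitting a truncated event.
    if (-not ($lines -match '^Windows PowerShell transcript end')) { return $null }

    $rec = [ordered]@{
        file = $Path; machine = $null; username = $null; runas = $null
        start = $null; end = $null; pid = $null; commands = @()
    }
    foreach ($line in $lines) {
        switch -Regex ($line) {
            '^Start time:\s*(\S+)'   { $rec.start    = $Matches[1] }
            '^End time:\s*(\S+)'     { $rec.end      = $Matches[1] }
            '^Username:\s*(.+)$'     { $rec.username = $Matches[1].Trim() }
            '^RunAs User:\s*(.+)$'   { $rec.runas    = $Matches[1].Trim() }
            '^Machine:\s*(.+)$'      { $rec.machine  = $Matches[1].Trim() }
            '^Process ID:\s*(\d+)'   { $rec.pid      = [int]$Matches[1] }
            '^PS [^>]*>\s*(.+)$'     { $rec.commands += $Matches[1].Trim() }  # prompt lines
        }
    }
    return [pscustomobject]$rec
}

# --- Demo on a constructed transcript (format mirrors what transcription writes) ---
$sample = @'
**********************
Windows PowerShell transcript start
Start time: 20240105091500
Username: CONTOSO\alice
RunAs User: CONTOSO\alice
Configuration Name:
Machine: WS01 (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4120
**********************
**********************
Command start time: 20240105091507
**********************
PS C:\Users\alice> Get-Service -Name Spooler
Status   Name    DisplayName
------   ----    -----------
Running  Spooler Print Spooler
**********************
Windows PowerShell transcript end
End time: 20240105091520
**********************
'@
$demoPath = Join-Path $env:TEMP 'PowerShell_transcript.WS01.demo.20240105091500.txt'
Set-Content -LiteralPath $demoPath -Value $sample
ConvertTo-TranscriptRecord -Path $demoPath | ConvertTo-Json -Compress
# one line: {"file":"...","machine":"WS01 (Microsoft Windows NT 10.0.19045.0)",
#            "username":"CONTOSO\\alice",...,"commands":["Get-Service -Name Spooler"]}

# --- Real run: sweep the share, append one line per new finished transcript ---
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$done = if (Test-Path -LiteralPath $StateFile) { Get-Content -LiteralPath $StateFile } else { @() }
Get-ChildItem -Path $WatchDir -Filter 'PowerShell_transcript.*.txt' -Recurse -File |
    Where-Object { $done -notcontains $_.FullName } |
    ForEach-Object {
        $record = ConvertTo-TranscriptRecord -Path $_.FullName
        if ($null -ne $record) {
            Add-Content -LiteralPath $OutFile   -Value ($record | ConvertTo-Json -Compress)
            Add-Content -LiteralPath $StateFile -Value $_.FullName
        }
    }
```

Run it as a scheduled task under an account that has read access to the share (the collector's account is a natural choice) and point a tail-file source at the NDJSON file; since each line is self-contained JSON, IDR can index `username`, `machine` and `commands` as fields rather than you regex-searching raw transcript text. Keep the original text files as well, since the fold drops command output and you will want the full transcript during an investigation.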